
Six IT security issues every business should take seriously

 IT Security at www.jasonslater.co.uk

When managing the information technology infrastructure there are a number of security and legal factors which require consideration and planning. Balancing the needs of the individual against the security and legal responsibility of the computer system, network and business requires careful planning as well as support from the business owners.

Included in this article are a number of areas which should be considered under a typical information technology security review.


1) Business Use of Home Software

Home, teaching or student-based software is not licensed for regular business use – doing so contravenes the licence agreement of the software and puts the company at risk of prosecution. In addition, a number of software licence agreements specifically state that the relevant software must not be used for any business purpose – therefore business users should always read the end-user licence agreement thoroughly (see The unspoken software licensing debacle).

Breaching a software license in this way can be considered as software piracy which is a criminal offence in the UK. Users should be reminded that, in the case of software piracy, ignorance is not an excuse.

For regular business use, VPN access software should be made available to appropriate users in order to provide access to the business computer systems. If users require access to the business applications and do not currently have access to their employer's VPN connection, they should contact their line manager, or appropriate representative, in the first instance in order to ascertain the real requirement – as there may be additional costs involved in the provision of remote connections.

2) Using Personal Equipment For Business Use

Other than policies, these days, there is really very little preventing an employee from bringing in their own personal computing equipment and using it for business use – be it a personal mobile phone, a USB memory stick, a PDA, or storage on MP3 Players. USB memory sticks, in particular, are becoming a common way to carry around and exchange business data – as risky as that may seem.

If users do take their personal computing equipment to work for regular business use the employee should, at least, consider any insurance impact (for example if the personal device is lost or damaged in the line of business) and ensure data contained upon the device is suitably protected using:

  • Appropriate and up-to-date anti-virus software
  • Appropriate and up-to-date anti-spam software
  • Appropriate and up-to-date firewall software
  • Password or other appropriate control on the device in case it is lost or misplaced
  • Installed software used for business must be appropriately licensed for business use – these licenses should be made available when required.
  • The device must be kept up to date with all critical and important security updates where appropriate

The business also needs to consider its options to ensure the user is not using any unlawful or risky software such as peer-to-peer file-sharing services, other VPN tunnels, web proxy servers, or instant messaging mechanisms which could place business data at risk.

The ideal scenario would be to urge users not to bring personal computing equipment in from home as the risk is too high.

3) Network Access Control

Business network users should be reminded that only authorised equipment is allowed to connect to the business network. A list of authorised equipment should be maintained and checked regularly.

Users should ideally provide the MAC address of any personal computing device which requires network access through the business network (be this through the wireless access point or cabled network) otherwise access to the network resources could be disallowed.

The business should consider only allowing registered MAC addresses onto the network for additional security measures.

Regular scanning and auditing of the network should be used to reinforce access controls.
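As an added illustration of the registered-equipment check described in this section (not code from the original article), the following Python script compares a constructed `ip neigh` neighbour-table capture against a hypothetical inventory of authorised MAC addresses and lists anything that is not registered. Treat a hit as an inventory discrepancy to investigate rather than proof of intrusion, since a hardware address can be set in software and is not by itself a strong authenticator.

```python
import re

# Constructed inventory of authorised devices: MAC address -> description.
# Hypothetical values for illustration only.
AUTHORISED_DEVICES = {
    "00:11:22:33:44:55": "finance-laptop-01",
    "aa:bb:cc:dd:ee:01": "print-server",
    "aa:bb:cc:dd:ee:02": "wifi-ap-floor2",
}

# Constructed sample of `ip neigh` output (the Linux neighbour table) as it
# might be captured on the gateway. Real output has the same shape.
SAMPLE_NEIGH_OUTPUT = """\
192.168.1.10 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.20 dev eth0 lladdr AA:BB:CC:DD:EE:01 STALE
192.168.1.77 dev eth0 lladdr de:ad:be:ef:00:01 REACHABLE
192.168.1.30 dev eth0  FAILED
192.168.1.88 dev wlan0 lladdr 02:00:00:aa:bb:cc DELAY
"""

NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<iface>\S+)\s+lladdr\s+(?P<mac>[0-9a-fA-F:]{17})"
)


def normalise_mac(mac):
    """Lower-case, colon-separated form so inventory lookups are case-insensitive."""
    return mac.strip().lower().replace("-", ":")


def parse_neigh(output):
    """Return a list of (ip, iface, mac) for entries that carry a hardware address."""
    seen = []
    for line in output.splitlines():
        m = NEIGH_RE.match(line)
        if m:  # entries without lladdr (e.g. FAILED) carry no MAC and are skipped
            seen.append((m["ip"], m["iface"], normalise_mac(m["mac"])))
    return seen


def find_unauthorised(output, inventory=AUTHORISED_DEVICES):
    """Return neighbour entries whose MAC is absent from the authorised list."""
    return [entry for entry in parse_neigh(output) if entry[2] not in inventory]


if __name__ == "__main__":
    for ip, iface, mac in find_unauthorised(SAMPLE_NEIGH_OUTPUT):
        print(f"UNREGISTERED {mac} at {ip} via {iface}")
```

Run it periodically from the gateway or a scanning host and feed the output into the audit described above; a registered MAC appearing on an unexpected interface is also worth a look.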

4) Personal Email for Business Use

Personal e-mail addresses really should not be used for regular business use – in fact many personal email services state they must not be used for business use and many businesses block free personal email providers such as Hotmail and Yahoo mail as they are often used by spammers.

For one thing, using personal email addresses for business can make the business look unprofessional and interfere with the business's legal responsibility to be able to e-discover all electronic communications.

As mentioned, some businesses may choose to block well-known personal mail providers to increase security. However, the business should be aware that some customers may use this method for their personal communication, so the business should attempt to assess the impact prior to commencing such an initiative – is there a trade-off between being secure and losing an order?

5) Personal Broadband for Business Use

It can be an easy temptation for an employee to use their personal broadband connection for regular business use; however, a number of broadband providers specifically state that home-provided connections must not be used for business use (see Are you violating your broadband agreement?). In many cases neither the user nor the business may be aware of this, which is why it is vital to read the terms and conditions of service provision before placing the business at risk.

The business should consider its position of legal risk when allowing employees to use their personal network connections for business use.

6) Use of Web Based Services

In some businesses there may be nothing stopping end users signing the business up for all manner of web services – the business may not even be aware when this has happened – until it is too late.

Web based services licensed only for personal use should not be used for business use no matter how convenient or feature filled they may seem. In addition there should be a policy in force to ensure valid business email addresses are not used for signing up to personal web based services.

For business related web services a central record of all web services should be maintained together with appropriate licensing documentation.

There is quite a lot of grey area when it comes to using web-based services, including the use of social media applications such as Twitter, Facebook, LinkedIn and MySpace in a business context. It seems the technology industry is moving to address these issues; however, the business should consider who is authorised to act and speak on the business's behalf and what information they should be authorised to communicate.

Summary

Most of these issues are not simple to address and require a great deal of consideration, understanding, planning and support from both the business owners and the users of the information technology system.

Often, many of the scenarios above may arise because a user or business was not aware of the impact or simply didn’t realise there might be an issue – and many providers may well “turn a blind eye” to, say, the use of a home broadband connection for business use. However, the impact of the risk to the business may be severe in cases where conditions reach the extreme, so it is worth addressing many of these issues well before the damage is done.
